Authorization To Operate (ATO) - Glossary | CSRC

authorization to operate

Abbreviations / Acronyms / Synonyms:

  • accreditation (Source: CNSSI 4009-2015)
  • approval to operate (Source: CNSSI 4009-2015)
  • ATO (Source: CNSSI 4009-2015)
  • security authorization (to operate) (Source: CNSSI 4009-2015)
  • Security Authorization (to Operate)
  • Security Authorization(to Operate)

Definitions:

See authorization to operate (ATO).
Sources: CNSSI 4009-2015 under security authorization (to operate)

See Authorization (to operate).
Sources: NIST SP 800-30 Rev. 1 under Security Authorization (to Operate); NIST SP 800-39 under Security Authorization(to Operate)

Authorization to Operate; One of three possible decisions concerning an issuer made by a Designated Authorizing Official after all assessment activities have been performed stating that the issuer is authorized to perform specific PIV Card and/or Derived Credential issuance services.
Sources: NIST SP 800-79-2 under ATO

Official management decision given by a senior Federal official or officials to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security and privacy controls. Authorization also applies to common controls inherited by agency information systems.
Sources: NIST SP 800-161r1-upd1 [11/1/2024 errata update] from NIST SP 800-53 Rev. 5; NIST SP 800-37 Rev. 2 from OMB Circular A-130 (2016); NIST SP 800-53 Rev. 5 from OMB Circular A-130 (2016); NIST SP 800-53A Rev. 5 from OMB Circular A-130 (2016)

Formal declaration by a designated accrediting authority (DAA) or principal accrediting authority (PAA) that an information system is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards.
Sources: CNSSI 4009-2015 under accreditation

The official management decision issued by a designated accrediting authority (DAA) or principal accrediting authority (PAA) to authorize operation of an information system and to explicitly accept the residual risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals.
Sources: CNSSI 4009-2015 under approval to operate

The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.
Sources: CNSSI 4009-2015

About

See the identified Source document to understand each term-definition pair in its proper context.

Send inquiries about terminology to the Source's authors; NIST publications will usually include a contact email for that Source.

For other inquiries, such as comments about the Glossary's presentation and functionality, use this link.

See the Glossary homepage for more guidance.
